Microsoft Patches 18 Security Flaws in Windows, Office

Microsoft Corp. today released seven security updates to address 18 separate flaws in its Windows operating systems and Office software, including 13 problems that earned a "critical" severity rating, the company's most dire.

Microsoft labels a security hole as "critical" if it can be used to hijack vulnerable machines without any action on the part of the user. All but two of the flaws addressed in today's patches can be exploited on some version of either Microsoft Office or Windows to let attackers seize total control over a vulnerable system.

Three of the patches mend flaws in Microsoft Office, including eight specific to Microsoft Excel. As Security Fix noted in recent posts, software blueprints showing would-be attackers just how to exploit two of these Excel flaws are already available online.

The most serious of the Excel vulnerabilities affect the versions found in Microsoft Office 2000. Unfortunately, patching this older version of Office takes a few more manual steps, because these fixes are not delivered through Windows Update. Office 2000 users will need to fire up Internet Explorer, mosey on over to Microsoft's Office site, and click on "Check for Updates" in the upper right-hand corner of the page.

If you are an Office 2000 user and have never installed an Office update before, you are in for a real treat. There are no fewer than three service packs (bundles of patches) worth of updates to install, and you will need to have your Office installation CD handy, as the Office patch installer will prod you to drop it into your CD-ROM drive at some point. Remember, if you're using Windows 2000, even if you have Windows configured to download and install patches automatically, the Office updates won't be installed; Automatic Updates on that platform covers Windows alone. Whatever you do, don't put off installing these important fixes: Microsoft has acknowledged that attackers already are exploiting at least some of them to break into computers or steal information from victims.

Users of Microsoft Office XP or Office 2003 have it much easier -- they can quickly download the updates from Microsoft Update, the same place where Windows patches are made available. These vulnerabilities also are present in Microsoft Works Office 2004 for Mac systems, as well as in Office v. X for Mac. Users of those products can download the fixes directly from this link here.

One critical vulnerability fixed today that appears very serious is a flaw in the Windows DHCP client service, the component that obtains the computer's network address from a DHCP server when it first boots up or connects to a network. Because the client processes whatever DHCP replies arrive on the local network segment, a hostile machine or rogue DHCP server on the same network could trigger the flaw with no action by the user. This vulnerability is present in fully patched versions of Windows 2000, Windows XP and Windows Server 2003.

Another dangerous security hole resides in the Windows "Mailslot" function, which handles certain communications traffic between Windows machines on the same network. Mailslot traffic rides on the same Windows file-and-printer-sharing protocol (SMB) that most perimeter firewalls already block, so the exposure is mainly to anything that is already inside the network. Computer security company Symantec said it considers this flaw the most critical of today's security bulletins, as it could be used to rapidly compromise multiple systems within a network, worm-style. This problem exists in all Windows 2000, XP and Server 2003 systems.

Under its support policy, today was to mark the last time Microsoft would ship security updates for Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME) systems. As it happens, none of today's updates address those older OSes, unless you count the vulnerabilities in Microsoft Office, which could be (and probably are) running on millions of Windows 98 and ME machines.

Earlier today, Security Fix posted the results of a series of tests on which security software titles still play nice with Windows 98/ME, so if you're considering sticking with one of these operating systems for some time, you may want to check it out.

Update, 4:26 p.m. ET: The SANS Internet Storm Center echoes Symantec's concern over the seriousness of the Mailslot flaw. They note that it was co-discovered by Pedram Amini from TippingPoint and H D Moore from the Metasploit Project, the latter of which offers system administrators a free, automated way to test whether their networks are vulnerable to certain security holes. Unfortunately, bad guys use this open-source tool as well, and the Metasploit team has a consistent track record of releasing working exploits for flaws they discover shortly after patches are released to fix them.

This posting alone might be enough for me to switch to a Mac. I'm on Windows 2000 & need a new computer, but I've been nervous about moving to XP. My security issues with W2K have been minimal, but I fear that wouldn't be the case on a new XP machine. I think it's time to go into hock & get a MacBook. Sigh.

So one more time Microsoft discovers through the pains of its customers that their systems, operating and applications, are riddled with security holes that Microsoft designers are unable to understand, discover, or prevent in the software design, code, and test cycle.

One of the biggest contributors to these problems is the intermixing of 'application unique data' and 'software execution sequence control' information. The following describes the underlying design problem in Microsoft's "Architecture". Microsoft only has a Stack. All the information that is used for program control (Push, Pop, Call, and Return) information used to transfer control between pieces of software is intermixed with application data read/write/program instructions (machine instructions). This approach is fundamentally flawed. Microsoft plans to partially fix this by having Intel implement a bit in the hardware that controls how blocks of memory can be used by the computer. When set by the OS the bit prohibits instruction fetch from the stack. This keeps hackers from storing "Hijack Code" in the stack. It also limits hackers' ability to execute that code on the next "Return". This is part of the solution. The other half of the solution is to make the Push/Pop/Call/Return storage areas un-addressable to the applications. This Microsoft is not doing! More on this later, see 2) below.

I have followed Microsoft's software development process and products since DOS 2.0. I am amazed that company wide they appear to have a flawed software development process. I suspect that they also have no one who is the overall "Architect" of their products. Bill Gates claims he is the Architect, but our opinions as to the roles and responsibilities of a Software Architect are on opposite ends of the known software development process universe. Anyway, lack of a software design, especially in the operating system (OS) and the design of APIs (application program interfaces to the OS), leads to exactly these types of security problems. Namely, holes in their overall system design and implementation that make Microsoft products an easy target for hackers.

I include four examples that drive the point home. One is simple. Early on Microsoft was unable to create a consistent user interface to their applications. The second is more technical, the separation of data and control information. The third is Microsoft's uncontrollable desire to change the GUI (Graphical User Interface) for the OS and Applications. The fourth example is the size of the software modules and fixes.

1) USER INTERFACE: In the Win 95/98 time frame Microsoft did not have a consistent GUI (graphical user interface) to its Office applications. The hot key sequences and the GUI sequences that a user used to achieve an equivalent look to text parts of documents created with Word, PowerPoint, Excel, and Publisher were very different. This has gotten better starting with Office 97.

2) SEPARATION OF DATA AND CONTROL: Anyone in the software industry that has a reasonable background in Computer Science SHOULD know that there are two different memory management schemes needed to protect the OS (Operating System) and Applications from each other, a Stack and a Heap. Traditionally a stack is a PUSH/POP/Call/Return structure that is addressed indirectly by application programs with commands like Push, Pop, Call, and Return. The application has no way to know where the stack is in memory. The Stack address is in a register that is not accessible to applications and is only modified by Push, Pop, Call and Return. The integrity of the CONTROL structure of program execution sequence relies on the application's inability to view, modify or corrupt the control structure stored in the Stack. Protection of the Stack from direct application modification is the best protection. The second memory structure is a Heap. There should be a Heap for each application execution environment. This is usually part of the addressable space for a dispatchable task. With this division in place for each dispatchable task (task = an entity that can be scheduled and dispatched/executed based on priority) having its own Stack and Heap, many of these security problems that Microsoft is experiencing are "DESIGNED OUT" of the system.

3) OS AND APPLICATION GUI: Microsoft fundamentally changes the interface the end user sees every major release (e.g., Win 3.1 to Win 95 to Win 98/ME to Win NT to Win 2000 to Win XP). The look and feel of the interface is usually the last part of the new system that is designed (?) and implemented. In changing the GUI they change navigation to functions, regroup functions for what appears to be no reason and even change the names of functions. This makes the system and applications hard to use, causes a loss in productivity, and increases the training expense. However, it does increase Microsoft revenue in Support, Publications, and Training.

4) SIZE OF SOFTWARE AND PATCHES: The source of other exposures is the size of the "Bloated" Microsoft Software. Part of this bloating is caused by inefficient code. Part of this is caused by the inefficiencies in the application that result from the API supported by Microsoft software. Another aspect is caused by the way Microsoft Support tools work. This includes compilers, language specific libraries, and the process implemented by Microsoft that builds the module that is actually loaded and executed on computers.
a) Compilers that do not generate optimized code generate more code than needed, and the code takes longer to execute.
b) Libraries, the code that actually provides most of the functions a software language requires in order to be useful, are monolithic. If the application uses one of the routines in the library, the entire library is included in the module that executes on your computer. At any one time there could be multiple copies of the entire library loaded on your computer. In the extreme case, one copy for each dispatchable task currently running.
c) Use of reentrant code allows one copy of code to be executed by multiple programs. DLLs are an example of reentrant code. Use of reentrancy can drastically reduce the storage requirements for applications.
d) Creation of smaller executable modules by building the software in multiple, smaller pieces.
The end effect of large code modules is
a) More disk space required
b) More physical memory required
c) More Virtual memory (swap file, hibernate file)
d) Longer install time
e) Longer patch download time
f) More disk space required to support software maintenance

All four of these have had, and in most cases are still having a huge negative impact on productivity, cost of training (end users and systems support), as well as time and resources required to maintain systems. I believe that if a complete analysis were done, one would find that the life cycle cost of having a computer, home or office, is completely dominated by the cost of application and OS maintenance. I believe that much of the cost is driven by the "WAY MICROSOFT DOES BUSINESS" from design, code, and test to support.

Conclusion:
I have worked with many small businesses and have observed that the benefit of using a computer to conduct business is approaching the point of being cost prohibitive. Unfortunately much of the cost is due to installing, upgrading and maintaining the software and retraining. The Post should research the cost in time and dollars that the additional software we are putting on computers to overcome, and block attacks that are invited by flaws in Microsoft Software, is really costing us. In addition evaluate the cost that Microsoft is causing by their inability to deliver "GOOD" software.

I have a large number of individuals I support (i.e. People I work with as volunteers at Youth Camp, Boy Scouts, Community Bands and Orchestras). These people are not highly computer literate. Most of them do not understand the risk or liability they are taking when they purchase a computer that uses Microsoft software. Most do not understand what their part in the process must be. Nor do they understand the level of diligence and perseverance it takes.

I pity the home user that only has dial up. Most are not willing to take the time and effort it takes to maintain their computer. Much of this consternation is due to the size of the Microsoft patches.

Question:
Considering all of this, would you trust Microsoft to create a "TRUSTED OS"? An OS that did not require a bunch of third party software that attempts to control hacker access to holes in Microsoft's software design.
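The separation the commenter argues for in point 2), keeping return addresses somewhere application data writes cannot reach, is what is now called a shadow stack. The C program below is an added illustration and is not code from the post, its commenter, or Microsoft. It simulates one stack frame in which a local buffer and the saved return address share the same memory, shows an unchecked copy of attacker-controlled input overwriting the return address, and then shows the same copy with the return address also kept on a separate shadow stack so the tampering is detected and control follows the protected copy. The frame layout, the address 0x401000 as the legitimate return target, and 0xdeadbeef as the attacker's chosen target are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated stack frame. On a conventional stack the saved return
 * address sits right past the function's local variables, as it does
 * here. Layout and addresses are assumptions made for this example. */
enum { BUF_SIZE = 16 };

typedef struct {
    char     buf[BUF_SIZE];   /* application data: a local buffer   */
    uint64_t saved_ret;       /* control data: where "return" jumps */
} frame_t;

#define REAL_RET 0x401000ULL      /* hypothetical legitimate return address */
#define ATTACKER_RET 0xdeadbeefULL /* hypothetical address the attacker wants */

/* Constructed attacker input: BUF_SIZE filler bytes followed by the
 * address the attacker wants the function to return to. */
void build_payload(uint8_t out[sizeof(frame_t)], uint64_t fake_ret)
{
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &fake_ret, sizeof fake_ret); /* host byte order, like the frame */
}

/* Vulnerable pattern: copies n bytes of input into the frame starting at
 * buf with no check against BUF_SIZE. Once n exceeds BUF_SIZE the copy
 * runs into saved_ret, so control data is overwritten by application data.
 * Returns the address control would transfer to. (n is clamped to the
 * frame size only so the simulation itself stays in bounds; the bug being
 * shown is the missing BUF_SIZE check.) */
uint64_t vulnerable_return_target(const uint8_t *input, size_t n)
{
    frame_t f;
    f.saved_ret = REAL_RET;
    memset(f.buf, 0, sizeof f.buf);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);            /* overflow: fills buf, then saved_ret */
    return f.saved_ret;
}

/* Hardened pattern: the return address is also pushed on a shadow stack
 * that ordinary data writes cannot reach (in hardware a separate protected
 * region; here a static array the copy never touches). On return the two
 * copies are compared and control follows the shadow copy. */
#define SHADOW_DEPTH 64
static uint64_t shadow_stack[SHADOW_DEPTH];
static int shadow_sp;

static void shadow_push(uint64_t ret)
{
    if (shadow_sp < SHADOW_DEPTH) shadow_stack[shadow_sp++] = ret;
}

static uint64_t shadow_pop(void)
{
    return shadow_sp > 0 ? shadow_stack[--shadow_sp] : 0;
}

/* Same unchecked copy as above. Stores the address actually used in
 * *target and returns 1 if the in-frame return address was tampered
 * with, 0 otherwise. */
int hardened_call(const uint8_t *input, size_t n, uint64_t *target)
{
    frame_t f;
    f.saved_ret = REAL_RET;
    shadow_push(REAL_RET);
    memset(f.buf, 0, sizeof f.buf);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);
    uint64_t shadow = shadow_pop();
    *target = shadow;                /* control flow follows the protected copy */
    return f.saved_ret != shadow;
}

/* End-to-end helpers: run the constructed payload with n bytes copied. */
uint64_t demo_vulnerable(size_t n)
{
    uint8_t p[sizeof(frame_t)];
    build_payload(p, ATTACKER_RET);
    return vulnerable_return_target(p, n);
}

int demo_hardened_tamper(size_t n, uint64_t *target)
{
    uint8_t p[sizeof(frame_t)];
    build_payload(p, ATTACKER_RET);
    return hardened_call(p, n, target);
}

int main(void)
{
    uint64_t target;
    printf("vulnerable, 8 bytes  : returns to 0x%llx\n", (unsigned long long)demo_vulnerable(8));
    printf("vulnerable, 24 bytes : returns to 0x%llx\n", (unsigned long long)demo_vulnerable(24));
    int tampered = demo_hardened_tamper(24, &target);
    printf("shadow stack, 24 bytes: tamper=%d, returns to 0x%llx\n", tampered, (unsigned long long)target);
    return 0;
}
```

With an 8-byte input the copy stays inside buf and both versions return to 0x401000; with a 24-byte input the vulnerable version returns to 0xdeadbeef, while the hardened version flags the mismatch and still returns to 0x401000. The NX bit the commenter mentions addresses a different half of the problem: it stops code placed in the buffer from being executed, but does nothing to keep the return address itself from being overwritten, which is why the two mitigations are complementary.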

Have there been any reports of problems with these updates? I've installed them on one of my computers, and since the install something's been eating 25-45% of the system resources - without getting listed in Task Manager. This has me a bit concerned.

I am really tired about people complaining about Microsoft. If IBM had taken Bill Gates' advice about home PCs and what the growth would be, IBM would be top dog. They laughed at Bill and now Bill is rich and retired. We can sit here and point the finger at flaws in the programs, but what about designing a program to buy, that you think everyone can use. I am not impressed that the Computer Science major knows the complexities of programming. Design a system and put it on the market. Let's see if it is hack proof or resistant. Other than that, stop whining. Because a lot of the people we know would not own a computer if it had not been for Windows. Let's go back to the days of the command line interface and see how many computers go out to the curb.

I help with computer support issues, as well as training and development. The big issue today is that people in general are still afraid of the computer. A lot of people think the computer is smarter than they are and that is the real problem. As long as we(mankind) make computers and programming applications they will be flawed and be attacked by the rebels(hackers). If they were not attacking the systems there would not be the amount of problems we now have, but then the computing world would not grow. It is the game of life in the computer world, play or go home.

Responding to SH's comment of 7/13, I have been trying for days to track down why, all of a sudden, my Windows 2000 computer is crashing several times a day, why CPU usage stays at 100% for long stretches, even when the computer is idle, and why browsers take forever to load. Someone asked if I'd installed the last Windows Update (earlier last week) - and, yes, I had. It was the only significant change I could think of. He had also, and several of his computers have been doing the same thing.

Found your blog Googling on the problem - thought I'd post, for what it's worth.

Does Microsoft get wind of these problems and provide fixes for them right away? I couldn't find anything useful on their site (in the Knowledge Base).